Changing Your Password

If PAM is properly configured, you can change your Kerberos password
in two ways:

With the usual UNIX passwd command. With the Kerberos service
configured, the Solaris passwd command also automatically
prompts for a new Kerberos password.

The advantage of using passwd instead of kpasswd is that you can set
both UNIX and Kerberos passwords at the same time. However, you generally
do not have to change both passwords with passwd.
Often, you can change only your UNIX password and leave the Kerberos password
untouched, or vice-versa.

Note – The behavior of passwd depends on how the PAM
module is configured. You might be required to change both passwords in some
configurations. For some sites, the UNIX password must be changed, while other
sites require the Kerberos password to change.

With the kpasswd command. kpasswd is very
similar to passwd. One difference is that kpasswd changes
only Kerberos passwords. You must use passwd if you want
to change your UNIX password.

Another difference is that kpasswd can change a password for a Kerberos principal that is not a valid
UNIX user. For example, david/admin is a Kerberos principal,
but not an actual UNIX user, so you must use kpasswd instead
of passwd.

After you change your password, it takes some time for the change to
propagate through a system (especially over a large network). Depending on
how your system is set up, this delay might take anywhere from a few minutes
to an hour or more. If you need to get new Kerberos tickets shortly after
you change your password, try the new password first. If the new password
doesn't work, try again using the old password.

The Kerberos V5 protocol enables system administrators to set criteria
about allowable passwords for each user. Such criteria are defined by the
policy set for each user (or by a default policy). See Administering
Kerberos Policies for more on policies.

For example, suppose that user jennifer's policy
(call it jenpol) mandates that passwords be at least eight
letters long and include a mix of at least two types of characters. kpasswd will therefore reject an attempt to use “sloth” as
a password.

% kpasswd
kpasswd: Changing password for jennifer@ENG.EXAMPLE.COM.
Old password: <Jennifer types her existing password>
kpasswd: jennifer@ENG.EXAMPLE.COM's password is controlled by
the policy jenpol
which requires a minimum of 8 characters from at least 2 classes
(the five classes are lowercase, uppercase, numbers, punctuation,
and all other characters).
New password: <Jennifer types 'sloth'>
New password (again): <Jennifer re-types 'sloth'>
kpasswd: New password is too short.
Please choose a password which is at least 4 characters long.

Here, jennifer uses “slothrop49” as a
password. “slothrop49” meets the criteria, because it is over
eight letters long and contains two different types of characters (numbers
and lowercase letters).

% kpasswd
kpasswd: Changing password for jennifer@ENG.EXAMPLE.COM.
Old password: <Jennifer types her existing password>
kpasswd: jennifer@ENG.EXAMPLE.COM's password is controlled by
the policy jenpol
which requires a minimum of 8 characters from at least 2 classes
(the five classes are lowercase, uppercase, numbers, punctuation,
and all other characters).
New password: <Jennifer types 'slothrop49'>
New password (again): <Jennifer re-types 'slothrop49'>
Kerberos password changed.
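
The length and character-class rule that the kpasswd messages above describe can be checked locally before a password is submitted. The following is an added example, not Solaris or Kerberos code: the Policy type, the function names, and the ASCII-only class boundaries are assumptions, and the KDC's own check remains authoritative.

```python
import string
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    """Hypothetical local mirror of a Kerberos password policy."""
    name: str
    min_length: int
    min_classes: int


# Values taken from the kpasswd output for policy jenpol shown above.
JENPOL = Policy(name="jenpol", min_length=8, min_classes=2)


def char_class(ch):
    """Map one character to one of the five classes kpasswd lists."""
    if ch in string.ascii_lowercase:
        return "lowercase"
    if ch in string.ascii_uppercase:
        return "uppercase"
    if ch in string.digits:
        return "numbers"
    if ch in string.punctuation:
        return "punctuation"
    return "other"  # whitespace, control and non-ASCII characters


def classes_used(password):
    """Return the set of character classes present in the password."""
    return {char_class(ch) for ch in password}


def check(password, policy):
    """Return a list of violations; an empty list means the rule is met."""
    problems = []
    if len(password) < policy.min_length:
        problems.append("shorter than %d characters" % policy.min_length)
    used = classes_used(password)
    if len(used) < policy.min_classes:
        problems.append("uses %d of the required %d classes"
                        % (len(used), policy.min_classes))
    return problems


if __name__ == "__main__":
    # Candidates are the sample passwords from the text above.
    for candidate in ("sloth", "slothrop", "slothrop49"):
        result = check(candidate, JENPOL)
        print(candidate, "->", "accepted" if not result else "; ".join(result))
```

Unlike the kpasswd session above, which reports only that the password is too short, this check lists every rule a candidate fails.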

Example 26–3 Changing Your Password

In the following example, user david changes both
his UNIX password and Kerberos password with passwd.

% passwd
passwd: Changing password for david
Enter login (NIS+) password: <Type the current UNIX password>
New password: <Type the new UNIX password>
Re-enter password: <Confirm the new UNIX password>
Old KRB5 password: <Type the current Kerberos password>
New KRB5 password: <Type the new Kerberos password>
Re-enter new KRB5 password: <Confirm the new Kerberos password>

Note that passwd asks for both the UNIX password
and the Kerberos password. This behavior is established by the default configuration.
In that case, user david must use kpasswd to
set his Kerberos password to something else, as shown next.

This example shows user david changing
only his Kerberos password with kpasswd.

% kpasswd
kpasswd: Changing password for david@ENG.EXAMPLE.COM.
Old password: <Type the current Kerberos password>
New password: <Type the new Kerberos password>
New password (again): <Confirm the new Kerberos password>
Kerberos password changed.

In this example, user david changes the password
for the Kerberos principal david/admin (which is not a
valid UNIX user). He must use kpasswd.

% kpasswd david/admin
kpasswd: Changing password for david/admin.
Old password: <Type the current Kerberos password>
New password: <Type the new Kerberos password>
New password (again): <Type the new Kerberos password>
Kerberos password changed.